If you haven’t seen it yet, the new theory is that “one security worker” is at fault for the Equifax breach.  Rick Smith, former Equifax CEO and now CEO of “lying facedown in some alley, Inc” testified before congress that, “…protocol broke down at Equifax due to human error, meaning no one was told to apply patches for the flaw. And, astonishingly, this is all one person’s fault rather than an obvious failure for the business as a whole…”

Bull.  This statement is irresponsible, and also a microcosm of why Equifax got hacked in the first place.  Why?  Because if ensuring that 145 million people’s data isn’t compromised is one person’s job, there’s an institutional problem.

Here’s what I mean.  Let’s assume that there’s someone that works at Equifax as a security ops guy.  Let’s call him “Billy”.  Now, the ex-CEO’s position seems to be that there was a meeting about whether to patch for the Apache Struts issue where Billy did some “human error” that caused the patch to not get applied.  They didn’t say what exactly – maybe he took the action to go patch the issue and he failed to do it… or maybe he forgot to bring that one up in the meeting… or maybe he forgot to write it down on his task list… or maybe it got accidentally left out of the meeting minutes.  It doesn’t matter.  It’s horse shiz anyway.

Here’s the deal.  Why is this one person’s sole responsibility anyway?  If it is, it’s an institutional problem.  For it to be “Billy’s fault”, he would have to have been responsible for every one of the decisions that caused the cascading failure down the line – and it would also be “Billy’s fault” that no mechanisms were set up to catch human error, prioritize patches, or otherwise fill in the gaps.  For example, whose decision was it to not encrypt the data so it stays protected if it’s stolen?  Billy.  Who decided to not scan for vulnerabilities to find the missing patch?  Billy.  Who neglected to automate the process so that a patch this big couldn’t be overlooked?  Billy.  No patch management?  Billy.  IDS/IPS failure?  Billy.  Missing exfiltration alerts?  Billy.

One of two things is true: either “Billy” is in a job that is so tremendously overscoped, with absolutely no automated processes that compensate for human error (which I would argue is the fault of Equifax’s management), or alternatively the failure was systemic and institutional (which I would argue is also the fault of Equifax management). So either way you slice it, Equifax leadership was at fault.  Billy is just a convenient scapegoat.
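To make the point concrete, here is a small illustration (added for this write-up, not code from the original post or from Equifax) of what “an automated process that compensates for human error” looks like for the missing-patch case described above: a scheduled check compares an asset inventory against published advisories, assigns each gap an owner and a due date from a severity SLA, and routes anything overdue past the individual owner. The asset list, the advisory id, the product versions, the dates and the SLA numbers are all constructed placeholders; the product name “struts” is only a label tying the example to the post, and the versions are not the real Apache Struts fixed versions.

```python
"""Patch-compliance check: the question "is a critical patch missing?" is
answered by a job against an inventory, not by one person's memory.

Everything below is constructed for illustration: hosts, owners, the
advisory id, the version numbers, the publication date and the SLA values
are placeholders, not real advisory data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    fixed_in: str      # first version that contains the fix
    severity: str      # "critical", "high" or "medium"
    published: date


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    owner: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory_id: str
    owner: str
    due: date
    overdue: bool


# Days allowed between advisory publication and deployment (placeholder policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def find_missing_patches(assets, advisories, today):
    """Return one Finding per (asset, advisory) pair where the asset runs a
    version older than the fix. Internet-facing hosts get half the SLA,
    an assumed policy choice for this example."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if asset.product != adv.product:
                continue
            if parse_version(asset.version) >= parse_version(adv.fixed_in):
                continue  # already at or past the fixed version
            sla = SLA_DAYS[adv.severity]
            if asset.internet_facing:
                sla = max(1, sla // 2)
            due = adv.published + timedelta(days=sla)
            findings.append(Finding(asset.hostname, adv.advisory_id,
                                    asset.owner, due, today > due))
    return findings


def escalations(findings, escalate_to="security-leadership"):
    """Overdue findings are copied to a second party, so a ticket one
    person forgot is visible to more than that one person."""
    return [(f.hostname, f.advisory_id, f.owner, escalate_to)
            for f in findings if f.overdue]


# Constructed sample data (placeholders, not real versions or dates).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "struts", "1.4.2", "critical", date(2017, 3, 7)),
]
ASSETS = [
    Asset("web-01", "struts", "1.4.1", "billy", True),        # vulnerable, exposed
    Asset("web-02", "struts", "1.4.2", "billy", True),        # patched
    Asset("intranet-01", "struts", "1.3.9", "ops-team", False),  # vulnerable, internal
    Asset("db-01", "postgres", "9.6", "dba", False),          # different product
]


def run_check(today=date(2017, 3, 12)):
    """Run the check for a fixed 'today' (constructed: 5 days after the
    advisory) and return (findings, escalations)."""
    findings = find_missing_patches(ASSETS, ADVISORIES, today)
    return findings, escalations(findings)


if __name__ == "__main__":
    found, escalated = run_check()
    for f in found:
        print(f"{f.hostname}: {f.advisory_id} owner={f.owner} due={f.due} overdue={f.overdue}")
    for host, adv, owner, to in escalated:
        print(f"ESCALATE {host} {adv} from {owner} to {to}")
```

With the constructed data, web-01 (internet-facing, critical, 3-day SLA) is overdue five days after publication and gets escalated, while intranet-01 still has two days left on its 7-day SLA. The design point is that ownership, deadline and escalation are all produced by the process, so none of them depends on whether any single person remembered to write something down.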

Ultimately, the Equifax issue rests solely at the feet of the CEO.  I get it that he’d love something else to be true — like that Billy is the reincarnation of Korrok the Slavemaster from John Dies at the End.  Because I’m sure he’s excited to go parasailing on his golden parachute or whatever — but really his attempt to deflect the blame onto some unnamed IT dude is transparently disingenuous, dangerous if believed, and does absolutely nothing to address the broader issue.

The point?  Let’s hope people have the sense to see through the lame excuses to what was really going on.  I’m skeptical, but I’m hopeful people are smarter than that.